
Crowdsourcing SecOps Through REN-ISAC

Kim Milford, REN-ISAC Executive Director

Chris O’Donnell, REN-ISAC Lead Security Engineer


Crowdsourcing CyberSecurity Through REN-ISAC

• Origin Story
• Adventures in Crowdsourcing
  – Collective Intelligence Framework and Security Event System
  – Passive DNS
  – Community Interchange
  – CSIRT Activities
  – HECVAT
• Other Community Opportunities

Origin Story

“I’ve spent more time in the past 18 months on cybersecurity than I did during the previous ten years.”

Dr. Brad Wheeler, Vice President for Information Technology, Indiana University


VDBIR 2017: Education Sector


REN-ISAC

• Aid and promote cyber security operational protection and response within the higher education and research (R&E) communities.

• Provide a trusted community of representatives at member institutions, and in service to the R&E community at-large.

• Serve as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.


The REN-ISAC Community

REN-ISAC Membership, by Institution Type

| Type of Institution                 | Nov. 2015 | April 2017 | Growth |
|-------------------------------------|-----------|------------|--------|
| US College, Private for-profit      | 1         | 3          | 200.0% |
| US College, Private not-for-profit  | 150       | 183        | 22.0%  |
| US College, Public                  | 225       | 258        | 14.7%  |
| Medical Science / Medical Center    | 12        | 14         | 16.7%  |
| Non-Medical Department              | 2         | 2          | 0.0%   |
| Non-US College                      | 29        | 35         | 20.7%  |
| Research Center                     | 19        | 21         | 10.5%  |
| Network                             | 8         | 10         | 25.0%  |
| Consortium / Univ. Administration   | 11        | 16         | 45.5%  |
| Partner                             | 0         | 2          | -      |
| Grand Total                         | 457       | 544        | 19.0%  |


The REN-ISAC Community


Security Event System utilizing the Collective Intelligence Framework (CIF)


SES/CIF Recent Collaborations

• 2016: University of Michigan integrated open source threat intelligence into existing infrastructure
  – Source data from SES, honeypots, and other sources
  – CIF as the threat repository
  – Indicators fed into BIND, SpamAssassin, Bro, and a custom anti-phishing Chrome plugin
  – Shared threat data with other institutions

• 2017: NCSA integrated the current CIF and future CIF features into their “Science DMZ Actionable Intelligence Appliance (SDAIA)” project.
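The bullet above mentions feeding CIF indicators into BIND; the usual way to do that is a Response Policy Zone (RPZ). The following is an added example, not code from REN-ISAC, Michigan or the CIF project: it takes constructed CIF-style indicator records (field names mirror CIF's JSON output, values are invented), drops low-confidence and non-DNS indicators, and emits an RPZ zone that makes the resolver return NXDOMAIN for them.

```python
"""Turn CIF-style indicator records into a BIND Response Policy Zone (RPZ)."""
import ipaddress

# Constructed sample feed (invented values) shaped like what a member pulls from SES/CIF.
SAMPLE_FEED = [
    {"indicator": "bad.example", "itype": "fqdn", "confidence": 85, "tags": ["phishing"]},
    {"indicator": "login-example.test", "itype": "fqdn", "confidence": 95, "tags": ["bec"]},
    {"indicator": "198.51.100.7", "itype": "ipv4", "confidence": 90, "tags": ["scanner"]},
    {"indicator": "203.0.113.0/24", "itype": "ipv4", "confidence": 70, "tags": ["botnet"]},
    {"indicator": "http://bad.example/x", "itype": "url", "confidence": 99, "tags": ["malware"]},
    {"indicator": "maybe.example", "itype": "fqdn", "confidence": 40, "tags": ["suspicious"]},
]


def rpz_name(record):
    """Map one indicator to its RPZ owner name, or None if RPZ cannot express it."""
    itype, value = record["itype"], record["indicator"]
    if itype == "fqdn":
        return value.rstrip(".")
    if itype == "ipv4":
        # RPZ IP trigger form: <prefixlen>.<reversed octets>.rpz-ip
        net = ipaddress.ip_network(value, strict=False)
        octets = str(net.network_address).split(".")
        return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"
    return None  # URLs, hashes, e-mail addresses: not blockable at the DNS layer


def build_rpz(records, min_confidence=75, serial=1):
    """Return RPZ zone text; skips records below min_confidence or not expressible in RPZ."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    seen = set()
    for rec in records:
        if rec["confidence"] < min_confidence:
            continue
        name = rpz_name(rec)
        if name is None or name in seen:
            continue
        seen.add(name)
        # "CNAME ." is the RPZ action for NXDOMAIN; the comment keeps provenance for the on-call engineer
        lines.append(f"{name} IN CNAME . ; conf={rec['confidence']} tags={','.join(rec['tags'])}")
        if rec["itype"] == "fqdn":
            lines.append(f"*.{name} IN CNAME .")  # also block subdomains of a blocked FQDN
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz(SAMPLE_FEED))
```

The confidence threshold is the knob that separates "indicator worth watching" from "indicator worth blocking"; tune it per feed rather than blocking everything CIF returns.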


Evolution of CIF

• Monolithic to modular

• From “HTTP/REST” to P2P real-time distribution

• Discovery service for peering


NCSA CIF Collaboration: What’s Next

• Have a Honeynet that generates a fair amount of data

• Using/testing the P2P model

• The "smrt" parser from CIF is being used throughout the model

• Initially running over Internet2


Collaboration Evolved

• CIF's design and modularity allow it to integrate well with existing solutions

• As with the NCSA example, CIF (and by extension smrt) makes it easier to get the data you want to share out to others

• Larger scale sharing with P2P


Passive DNS

“REN-ISAC sets the gold standard for threat information sharing in the industry. Farsight Security is proud to help REN-ISAC protect its members from targeted attacks.”

Dr. Paul Vixie, CEO and Cofounder, Farsight Security, Inc.


What is passive DNS?


Passive DNS Project - What and Why?

• Currently in the early stages of the project; 4 active contributors; seeking additional contributors

• Exchanging data for product access

• Contributing to “Global Good”


Community Collaboration and Crowdsourcing

“The REN-ISAC is a force multiplier”

Anonymous REN-ISAC member representative


List Topic 09/2017: Business Email Compromise (BEC)

• Individual indicators were shared

• Other members correlated, confirming whether they had seen similar emails, and shared further details

• REN-ISAC passes the information to those who can take action

• Convert indicators to protections via SES


List Topic 09/2017: Apache Struts

• Members were able to share details to allow faster responses

• Lots of details

• TL;DR - a lot of accurate operational data was shared in a concise format in a very timely manner


Non-Emergency Sharing

• Logging practices and implementation

• Authentication strategies

• Patching and scanning practices

• Vendor and product info and experiences


Other REN-ISAC Services

• Daily Watch

• Ops Briefs

• TechBursts

• Member Meetings

• SANS Training Discounts


2017 CSIRT Activity

| Category                     | Q1     | Q2     | Q3     | YTD    | YTD Q3 2016 |
|------------------------------|--------|--------|--------|--------|-------------|
| Credentials                  | 1,483  | 3,559  | 1,096  | 6,138  | 1,056,092   |
| Compromised Machines         | 14,376 | 16,261 | 17,600 | 48,237 | 54,443      |
| Open Recursive DNS Resolvers | 707    | 357    | 565    | 1,629  | 2,113       |
| Spam or Phish                | 118    | 92     | 93     | 303    | 2,314       |
| Open Mail Relays             | 39     | 37     | 30     | 106    | 114         |
| Other                        | 70     | 28     | 14     | 112    | 51          |
| Total                        | 24,907 | 17,777 | 14,351 | 15,357 | 2,270,137   |


2017 CSIRT Activities

[Chart: Sept 2017 Exploits. Bar values shown: 1692, 923, 669, 378, 291, 258, 251, 227, 209, 181. Labels: WannaCry (2017), Conficker (2008), XcodeGhost (2015), Gozi (2013), Mirai (2016), Bedep (2015), Sality (2003), ZeroAccess (2013), Necurs (2016), Ramnit (2015)]


DDOS 2017


Higher Education Cloud Vendor Assessment Tool (HECVAT)


Crowdsourcing CyberSecurity Through REN-ISAC

Resources and References

• www.REN-ISAC.net
• https://github.com/csirtgadgets/csirtg-smrt-py
• www.nist.gov/cyberframework
• www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
• www.farsightsecurity.com/
• https://www.internet2.edu/news/detail/14254/
• https://git.ncsa.illinois.edu/awithers/sdaia

Thank you!

Crowdsourcing SecOps Through REN-ISAC

Kim Milford, REN-ISAC Executive Director

Chris O’Donnell, REN-ISAC Lead Security Engineer